Add CVE-2020-14334 to security page #1654
Conversation
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
from
0e09f2b
to
e833e4e
Compare
security.md
Outdated
| *Mitigation:* change cache directory mode `o-r`. | ||
|
|
||
| * Affects RPM installations | ||
| * Fix released in Foreman 2.1 |
There was a problem hiding this comment.
the fix will be in Foreman 2.2.0, 2.1.1 and 2.0.2 and higher
security.md
Outdated
| #### <a id="2020-14334"></a>CVE-2020-14334: World readable cache could expose sensitive settigs | ||
| Even encrypted settings have their raw values cached. Too permissive mode on cache dir caused, that anyone with access to the hosting system could read this encrypted settings. | ||
|
|
||
| *Mitigation:* change cache directory mode `o-r`. |
There was a problem hiding this comment.
please specify which directories
security.md
Outdated
|
|
||
| *Mitigation:* change cache directory mode `o-r`. | ||
|
|
||
| * Affects RPM installations |
There was a problem hiding this comment.
It was part of theforeman/foreman-packaging@847450f which is titled Import foreman. Prior to that RPM specs were in foreman.git and was introduced in theforeman/foreman@d30ac55. So my guess is Foreman 1.3 when using RPMs and the file cache backend. That means users of memcached are unaffected by this particular bug, though that does listen on a TCP port which is usually also accessible by local users.
There was a problem hiding this comment.
Thanks ❤️ I was not able to find it out, I did not know about the switch to packaging repo :)
There was a problem hiding this comment.
Altough back then there might not be any sensitive information in the cache... 🤔
There was a problem hiding this comment.
OAuth was added in theforeman/foreman@fceb1f8, released in version 1.1 and already used settings. Caching of settings was added in theforeman/foreman@d9a2eba, also in 1.1.
There was a problem hiding this comment.
There are some passwords, those should be considered compromised as well if there was a possibility to use this vulnerability.
https://github.com/search?q=org%3Atheforeman+%22encrypted+%3D%3E+true%22&type=Code
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
from
e833e4e
to
9eb4e0f
Compare
security.md
Outdated
| #### <a id="2020-14334"></a>CVE-2020-14334: World readable cache could expose sensitive settigs | ||
| Even encrypted settings have their raw values cached. Too permissive mode on cache dir caused, that anyone with access to the hosting system could read this encrypted settings. | ||
|
|
||
| *Mitigation:* change cache directory mode `o-r` on `/run/foreman`. |
There was a problem hiding this comment.
This is not a correct mitigation because it's lost at reboot. You must manually change the tmpfiles as well.
There was a problem hiding this comment.
Change that to advise the temfile rewrite from /etc/tmpfiles.d
|
Do we want to suggest to rotate OAuth keys, or at least provide instructions? Are there other secrets there that might have leaked? |
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
from
9eb4e0f
to
afe2e83
Compare
|
I've tried to suggest the rotation of OAuth keys and passwords, but I'm not sure if we should provide more information. List of settings that might have been affected: https://github.com/search?q=org%3Atheforeman+%22encrypted+%3D%3E+true%22&type=Code |
security.md
Outdated
| d /run/foreman 0750 foreman foreman - | ||
| ``` | ||
|
|
||
| Additionaly it's better to rotate the OAuth keys and Remote Execution passwords |
There was a problem hiding this comment.
| Additionaly it's better to rotate the OAuth keys and Remote Execution passwords | |
| In case the system may have been accessed locally by an un-trusted user, it may be prudent to change and secrets stored in the settings, such as OAuth keys or remote execution passwords. |
security.md
Outdated
| Even encrypted settings have their raw values cached. Too permissive mode on cache dir caused, that anyone with access to the hosting system could read this encrypted settings. | ||
|
|
||
| *Mitigation:* override directory mode to `750`. | ||
| To do so, create a file `/etc/tmpfiles.d/foreman.conf` with following content and reboot the system. |
There was a problem hiding this comment.
This file should already be present if i'm not mistaken? Also, iiuc this modification is only needed so the change survives reboots, the user can also manually chmod the folder for the currently running instance without requiring a full reboot.
There was a problem hiding this comment.
No, we ship to /usr/lib/tmpfiles.d/foreman.conf. The downside of creating /etc/tmpfiles.d/foreman.conf is that if we want to make further changes in the future, then users won't get them. However, users probably also shouldn't change /usr/lib.
Changing in /usr/lib/tmpfiles.d means they get updated in the future, but if they update from unsupported-x.y to unsupported-x.z then they lose the protection. OTOH, they should just update to a supported version.
I'm conflicted on the best advise, but slightly leaning to /usr/lib/tmpfiles.d.
@theforeman/packaging what would you advise?
There was a problem hiding this comment.
etc is for overrides if package defaults, and thats exactly whats needed here. So IMHO etc and the hint to remove that file after upgrading to a fixed release.
There was a problem hiding this comment.
systemd-tmpfiles.d does not allow for drop-ins like with unit files, but it explicitly mentions splitting the configuration for easier overwriting of configuration.
Each configuration file shall be named in the style of package.conf or package-part.conf. The second variant should be used when it is desirable to make it easy to override just this part of configuration.
So perhaps it would make sense to split it up and store values in /usr/lib/tmpfiles.d where packages should install the files? Not sure if this would mess things up, but perhaps an idea for the future. But I am also pro /usr/lib/tmpfiles.d.
For those already having created local configuration in /etc/tmpfiles.d, it makes sense to advice them to adjust configuration, but I would leave this to documentation and perhaps it is possible to have a migration in the foreman-installer which checks for the CVE, links to it and provides a simple sed for mitigation?
There was a problem hiding this comment.
I updated the suggestion to update of the /usr/lib/tmpfile.d as @ekohl is mentioning, the next upgrade should be to a supported version, so this solution will leave the least traces in the system.
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
2 times, most recently
from
9e8af50
to
e6e8d24
Compare
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
from
e6e8d24
to
ab7c747
Compare
security.md
Outdated
| ``` | ||
| d /run/foreman 0750 foreman foreman - | ||
| ``` | ||
| For the change to have effect immediatelly run `systemd-tmpfiles --create` or change the directory mode manually by running `chmod 755 /run/foreman`. |
There was a problem hiding this comment.
I like the systemd-tmpfiles --create suggestion since you verify the state post-reboot. I'd leave off the chmod command. Also note you have 755 in the current command
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
from
ab7c747
to
e541da1
Compare
security.md
Outdated
| Even encrypted settings have their raw values cached. Too permissive mode on cache dir caused, that anyone with access to the hosting system could read this encrypted settings. | ||
|
|
||
| *Mitigation:* override `/run/foreman` directory mode to `0750`. | ||
| To do so in a manner that survives reboot, update a file `/usr/lib/tmpfiles.d/foreman.conf`. |
There was a problem hiding this comment.
It feels more natural to use the definitive article here since we know what we're talking about.
| To do so in a manner that survives reboot, update a file `/usr/lib/tmpfiles.d/foreman.conf`. | |
| To do so in a manner that survives reboot, update the file `/usr/lib/tmpfiles.d/foreman.conf`. |
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
from
e541da1
to
107ba25
Compare
|
@tbrisker, any more comments? :) |
security.md
Outdated
| ``` | ||
| For the change to have effect immediatelly run `systemd-tmpfiles --create`. | ||
|
|
||
| In case the system may have been accessed locally by an un-trusted user, it may be prudent to change and secrets stored in the settings, such as OAuth keys or remote execution passwords. |
There was a problem hiding this comment.
just a tiny typo:
| In case the system may have been accessed locally by an un-trusted user, it may be prudent to change and secrets stored in the settings, such as OAuth keys or remote execution passwords. | |
| In case the system may have been accessed locally by an un-trusted user, it may be prudent to change any secrets stored in the settings, such as OAuth keys or remote execution passwords. |
ezr-ondrej
force-pushed
the
cve-2020-14334
branch
from
107ba25
to
bb98a00
Compare
No description provided.